Post navigation

Websites with cool interactive content like games used to go for Java.

By embedding a special sort of Java program called an applet in your website, you could add a bit more pizazz than your competitors could manage with plain old HTML.

Then came Adobe Flash, using a programming language called ActionScript instead of Java, but with the same ultimate idea: multi-platform, cross-browser, web-based, real-time, on-line multimedia coolness.

There were downsides to Java and Flash from the start, of course, namely that:

They were “someone else’s” standards, rather than web ones.

They required you to install and manage additional plugins in your browser.

They inevitably opened up additional security holes.

Cybercrooks fell in love with Java and Flash security holes because they often worked in every browser, leading to true “cross-platform” attacks.

Eventually, browser makers and web standards-setters agreed on an alternative approach, called HTML5, that would (or at least could) make both Java and Flash redundant by giving web programmers a way to do cool multimedia stuff right inside the browser.

(To see how cool, try typing the word asteroids in the Naked Security search box!)

As a result, these days you can just use JavaScript in your interactive web pages, instead of using Java or ActionScript.

→ Java and JavaScript are completely different. As a recent Naked Security commentator pointed out, “Java” and “JavaScript” are no more strongly related than “Car” and “Carpet.” They simply start with the same letters.

Sure, HTML5 increases the so-called “attack surface area” of your browser because there are now more tricks you can pull off with JavaScript, and there is more code in the background to go wrong.

But every modern browser supports JavaScript and HTML5 anyway; HTML5 can do the job of Java and Flash; and many if not most websites support HTML5, even if they also support Java or Flash.

Simply put, almost all of us can live without Java or Flash in our browsers, almost all of the time.

Indeed, most of us do live without Java in our browsers these days, because Oracle, which owns Java, no longer enables the Java applet web browser plugin by default when you install the Java product.

Java is mainly used for applications, full-blown software programs that you install locally, so support for in-browser applets is rarely necessary these days.

But Flash has proved harder to eject from the world’s browsers, with lots of people keeping it installed and turned on, and often insisting that they need it, even when they don’t.

The fight against Flash

Apple was the first big brand name to take against Flash in a big way, by the simple expedient of banning it altogether on iPads and iPhones.

If you have an iDevice, you don’t have Flash, and that’s that: it’s all done with HTML5 instead.

Facebook jumped into the anti-Flash wars recently, too, with its newly-appointed CSO coming out swinging on Twitter.

Alex Stamos publicly demanded that Adobe should act to kill off Flash, and to set a date by which all browsers would refuse to support it.

Of course, that was just a Twitter rant.

Facebook doesn’t yet seem to share its CSO’s strident views, because the company didn’t back him up, and still makes use of Flash in your browser if you have it installed.

That’s annoying for those who want to convince the world that Flash is largely superfluous, and thus an unnecessary security risk.

Sites that use Flash “because they can”, instead of just moving to HTML5 for everything, tend to reinforce users who still think they need Flash, even when turning it off would make no visible difference.

Beginning September 1, 2015, Amazon no longer accepts Flash ads on Amazon.com, AAP, and various IAB standard placements across owned and operated domains.

This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience across Amazon and its affiliates, and that ads displayed across the site function properly for optimal performance.

Interestingly that Amazon hasn’t gone all out by banning Flash because of its security risk – the “added attack surface area” it brings to your browser.

Amazon is blaming, if that’s the right word, three of the world’s Big Four browsers instead, because they no longer play Flash ads automatically by default.

Indeed, Amazon’s explicit reason for ditching Flash seems to be that it will improve the consistency of your ad-viewing experience, meaning that your browser’s “click-to-play” Flash option will no longer act as a sort-of implicit ad blocker.

Ironically, even though Amazon’s announcement means that some users will start seeing ads that didn’t appear before, it may actually help to distance Amazon from Adobe’s recent (and rather unpopular) suggestion that ad blockers are a Bad Thing and could cost our economy $22,000,000,000 this year.

9 comments on “Amazon bans Flash ads – but not for the reason you may have hoped!”

Well “Thumbs Up!!” to Amazon… Even if they are doing the right thing for the wrong reason.
I dumped Flash a couple of years ago and rarely miss it. As well I have been advocating to the few sites I need to go to and still use Flash to please discontinue its use as (in my opinion) it lessens my browsing experience (and my security).
As you say, Flash is a redundant technology. Only the admen and Adobe like it. It should have been given a graceful retirement years ago.

What’s supposed to happen when you search for “asteroids” is that a simple but fully-functional Asteroids game appears for you to play. The game is implemented using HTML5 graphics in unexceptionable, non-networked JavaScript. I just tried it on my own iPhone, and the game appeared fine, although it wasn’t playable because I don’t have a keyboard with arrow keys on it 🙂 But my browser kept working, and I could browse through the rest of Naked Security just like before.

The game has been there for more than a year now, and as far as I am aware, we’ve not had anyone complain about crashes of any sort caused by trying to play it in any browser on any operating system.

Note that loading JavaScript into your browser is *not* supposed to be able to crash your browser, whether accidentally or deliberately. That implies a vulnerability in the browser, which means a bug that should be reported to Apple. More importantly, even if your browser does crash when rendering a web page, that should *not* crash your iPad. That would suggest a vulnerability in iOS itself, which means a bug that should be reported to Apple.

In fact, a web page that could crash an iPad whenever it wantedto would be a troublesome vulnerability because it could be exploited deliberately for a Denial of Service (DoS) attack. In other words, it simply shouldn’t be possible even for a sneaky and malevolent crook to crash your iPad from the browser, let alone for a benign JavaScript game to do so. As a result…I don’t really know what to suggest.

All I can think of is to ask, “What have other readers experienced when trying to play our Asteroids on an iDevice? What version of iOS do you have? Which browser did you use? Could you get the keys to work?”

PS. If you have an iPhone, you need to switch out of mobile view first. (There’s a toggle at the bottom of the page.) If you search for “asteroids” from mobile view, you will just get a set of search results for the word “asteroids”:-)

Thank you Amazon , I have Glaucoma and find most things that flash hurt my eyes .Most people will just pass something that is flashing with no problem , but for me the pain it causes is not worth going on some web sites ..So a big thank you to Amazon , also I love my Kindle , so easy on the eyes …

Just to be clear…in this context, we mean “Adobe Flash,” or “Flash” for short (note the big “F”), the name of software made by Adobe that can be used for displaying graphics, games, movies and so on in your browser. We don’t mean “flash” as in to blink on and off rapidly. Ads that are created in Adobe Flash don’t necessarily flash. (And ads that do flash can be implemented without Flash, if that makes sense.)